New Risk - Sensitive Data Stored Unencrypted in Private Storage Locations [data-unencrypted-private-storage] #2544

Open
4 tasks
cpholguera opened this issue Feb 5, 2024 · 2 comments · May be fixed by #2566

Comments

@cpholguera
Collaborator

cpholguera commented Feb 5, 2024

Description

Create a new risk for "Sensitive Data Stored Unencrypted in Private Storage Locations (MASVS-STORAGE-1)" using the following information:

Sensitive data may be stored in internal locations without encryption and may be accessible to other apps under certain conditions.

Create "risks/MASVS-STORAGE/1-***-****/data-unencrypted-private-storage/risk.md" including the following content:

---
title: Sensitive Data Stored Unencrypted in Private Storage Locations
alias: data-unencrypted-private-storage
platform: [android, ios]
profiles: [L2]
mappings:
  masvs-v1: [MSTG-STORAGE-2]
  masvs-v2: [MASVS-STORAGE-1, MASVS-CRYPTO-2]
  mastg-v1: [MASTG-TEST-0052, MASTG-TEST-0001]

---

## Overview

## Impact

## Modes of Introduction

## Mitigations

To complete the sections, follow the guidelines from Writing MASTG Risks & Tests.

When creating the corresponding tests, use the following areas to guide you:

  • envelope encryption (DEK+KEK) or equivalent (Android)
  • Android Security Lib usage (EncryptedFile/EncryptedSharedPreferences) (Android)
  • Don't roll your own storage encryption, use platform provided APIs EncryptedFile/EncryptedSharedPreferences. (Android)
  • iOS Keychain DataProtection classes (iOS)
  • envelope encryption (DEK+KEK) or equivalent (iOS)
  • sensitive data must not be encoded (e.g. base64, simple bit operations such as XOR or bit flipping) instead of encrypted

MASTG v1 Refactoring:

If the risk has a MASVS v1 ID, you can use it to search for related tests in the MASTG and use them as input to define your risks and associated tests.

Acceptance Criteria

  • The risk has been created in the correct directory (risks/MASVS-STORAGE/1-***-****/data-unencrypted-private-storage/risk.md)
  • The risk content follows the guidelines
  • At least one GitHub Issue has been created for the corresponding tests (derived from "Modes of Introduction")
  • The risk indicates the related MASTG v1 tests in its metadata.
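
Added example (not part of the original issue or the MASTG project's code): a heuristic check for the last guidance area listed above, flagging stored values that are plaintext, base64-encoded, or single-byte-XOR-obfuscated rather than encrypted. The sample preferences file, its entry names, and the function names are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

# Constructed sample in the Android shared_prefs XML layout (not from a real app).
SAMPLE_PREFS = f"""<map>
    <string name="account">user@example.com:hunter2</string>
    <string name="session">{_b64(b"token=abc123-session")}</string>
    <string name="pin">{_b64(bytes(c ^ 0xA7 for c in b"pin=4921;user=alice"))}</string>
    <string name="blob">{_b64(bytes.fromhex("00ff10ef20df30cf40bf50af609f708f"))}</string>
</map>"""

def looks_like_text(data: bytes) -> bool:
    """True if every byte is printable ASCII or common whitespace."""
    return bool(data) and all(32 <= c < 127 or c in (9, 10, 13) for c in data)

def classify(value: str) -> str:
    """Heuristic label for one stored string value."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "plaintext"        # stored as-is, not even encoded
    if looks_like_text(raw):
        return "base64-encoded"   # reversible without any key
    # Single-byte XOR: some key turns every byte back into readable text.
    if any(looks_like_text(bytes(c ^ k for c in raw)) for k in range(1, 256)):
        return "xor-obfuscated"
    return "opaque"               # may be ciphertext; key handling still needs review

def audit_prefs(xml_text: str) -> dict:
    """Map each <string> entry name to its heuristic label."""
    root = ET.fromstring(xml_text)
    return {e.get("name"): classify(e.text or "") for e in root.iter("string")}

if __name__ == "__main__":
    for name, label in audit_prefs(SAMPLE_PREFS).items():
        print(f"{name:10} {label}")
```

An "opaque" label only means the value survived these simple decodings; it does not show that a platform API such as EncryptedSharedPreferences or a properly protected key was used.
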
@cpholguera
Collaborator Author

Assign to @thomascannon

@cpholguera
Collaborator Author

Hi @thomascannon, I think this PR was automatically closed because the target branch doesn't exist anymore. Sorry about that. Could you please reopen it targeting master? Thank you!

@cpholguera cpholguera changed the title New Risk - Sensitive Data Stored Unencrypted in Internal Locations [data-unencrypted-internal] New Risk - Sensitive Data Stored Unencrypted in Private Storage Locations [data-unencrypted-private-storage] May 1, 2024